1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to malware detection based on the behavior of applications running on a computer system.
2. Description of the Related Art
Detection of viruses and malware has been a concern throughout the era of the personal computer. With the growth of communication networks such as the Internet and increasing interchange of data, including the rapid growth in the use of e-mail for communications, the infection of computers through communications or file exchanges is an increasingly significant consideration. Infections take various forms and are typically related to computer viruses, Trojan programs or other forms of malicious code (i.e., malware).
Recent incidents of e-mail mediated virus attacks have been dramatic both for the speed of propagation and for the extent of damage, with Internet service providers (ISPs) and companies suffering from service problems and a loss of e-mail capability. In many instances, attempts to adequately prevent file exchange or e-mail mediated infections significantly inconvenience computer users. Improved strategies for detecting and dealing with virus attacks are desired.
A conventional approach to detecting viruses is signature scanning. Signature scanning systems use sample code patterns extracted from the known malware code and scan for the occurrence of these patterns in another program code. A primary limitation of the signature scanning method is that only the known malicious code is detected, that is, only the code that matches the stored sample signatures of known malicious code is identified as being infected. All viruses or malicious code not previously identified, and all viruses or malicious code created after the last update of the signature database will not be detected.
Another conventional approach is emulation of malware components. An ability to emulate an execution of a suspected malware component on a computer system prior to executing it on a user system is critical in terms of providing security and maintaining integrity of a computer system data. Emulation is typically used for anti-virus and malware detection. In order to analyze the behavior of malware components, such as viruses, and to collect statistics (heuristics), a computer system is emulated and the viruses are run on the emulated computer system. The behavior of the suspected component during emulation is logged. The behavior log is later compared to normal behavior patterns.
However, over the past decade malware components and viruses have become more sophisticated. Modern malware components can avoid emulation. Additionally, heuristic analyses of a potential malware component cannot always be performed in a timely manner. Event interception and on-the-fly synchronous analysis can also be used. For example, such a system is disclosed in the WO2008048665A2. However, a synchronous analysis delays the execution of the process generating the suspicious event. In turn, it causes a delay in functionality of the entire system.
Event filtering techniques are also used for analyzing the behavior of running suspicious applications. For example, such a method is described in the U.S. Pat. No. 7,406,199. The processes generating suspicious events which have been filtered out are checked first and then sent for further processing. An algorithm of a conventional filtering method, using a synchronous event processing, is depicted in FIG. 1.
In this method, an event is sent for processing after the process which triggered the event has been checked. After an occurrence of a system event is detected in real time, in step 110, a system driver processes the event through a number of filters in step 115. If the event passes through the filter(s) in step 120, the event is sent to be checked by system modules in step 130.
If in step 135, it is determined that the event is not clean (i.e., presents a potential threat to the system), the process that caused the event is terminated in step 150. If the event is determined to be clean (in step 135) or the event does not pass through the filter (in step 120), the event is released for further processing in step 140. This method is time consuming and requires a lot of system resources, which is also quite costly.
It is apparent that an improved efficient method for analyzing the behavior of applications running on a computer system is desired. Accordingly, there is a need in the art for a system and method that addresses the need for detection of malware based on the behavior of applications running on a computer system.